Sudo

From Unix SME

Description

Allows you to execute a command as another user; by default it requires a password. It can be configured in the /etc/sudoers file to not require a password when running certain commands or all commands (very dangerous).

Examples

Sudoers file

An example of a sudoers file:

<code class="language-bash">##  
## User privilege specification  
##  
root ALL=(ALL:ALL) ALL  
## Uncomment to allow members of group wheel to execute any command  
# %wheel ALL=(ALL:ALL) ALL  
  
## Same thing without a password  
%wheel ALL=(ALL:ALL) NOPASSWD: ALL  
  
## Uncomment to allow members of group sudo to execute any command  
%sudo ALL=(ALL:ALL) ALL
</code>

Explanation

Taking the rule root ALL=(ALL:ALL) ALL field by field:

root specifies the user that the rule applies to.

ALL= says that the rule applies to all hosts.

(ALL: says that the user can run commands as all users.

:ALL) says that the user can run commands as all groups.

The final ALL says that the rule applies to all commands.

root ALL=(ALL:ALL) ALL The root user can run all commands with sudo (root has full system access regardless).

%wheel ALL=(ALL:ALL) NOPASSWD: ALL The wheel group (the leading % marks a group) does not require a password to run commands as root.

%sudo ALL=(ALL:ALL) ALL The sudo group has access to sudo and can run all commands with sudo, but requires a password.
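
An added example (not part of the original page): a small Python audit that splits each rule into the fields explained above and reports which rules grant every command without a password. It handles only single-line rules like the ones shown here (no aliases, line continuations or included files), and the deploy rule in the sample is constructed for contrast.

```python
import re
from collections import namedtuple

# Constructed sample: the page's rules plus a narrower rule for a hypothetical "deploy" user.
SAMPLE = """\
root ALL=(ALL:ALL) ALL
# %wheel ALL=(ALL:ALL) ALL
%wheel ALL=(ALL:ALL) NOPASSWD: ALL
%sudo ALL=(ALL:ALL) ALL
deploy ALL=(root) NOPASSWD: /usr/bin/systemctl status ntpdate.service
"""

# Layout: who  hosts = (run-as users:run-as groups)  TAG: ...  commands
RULE = re.compile(r"^(?P<who>\S+)\s+(?P<hosts>[^=\s]+)\s*=\s*"
                  r"(?:\((?P<runas>[^)]*)\)\s*)?"
                  r"(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$")

Rule = namedtuple("Rule", "who hosts run_users run_groups nopasswd commands")

def parse_rule(line):
    """Parse one single-line user rule; return None for anything else."""
    line = line.strip()
    # Skip blanks, comments, Defaults, @include and alias definitions.
    if not line or line.startswith(("#", "@", "Defaults")) or "_Alias" in line:
        return None
    m = RULE.match(line)
    if m is None:
        return None
    # With no parenthesised part, sudo runs the command as root.
    users, _, groups = (m["runas"] or "root").partition(":")
    tags = [t.strip() for t in m["tags"].split(":") if t.strip()]
    cmds = [c.strip() for c in m["cmds"].split(",")]
    return Rule(m["who"], m["hosts"], users.strip(), groups.strip(),
                "NOPASSWD" in tags, cmds)

def audit(text):
    """Return (who, verdict) for every active rule in a sudoers text."""
    out = []
    for rule in filter(None, map(parse_rule, text.splitlines())):
        if "ALL" in rule.commands and rule.run_users in ("ALL", "root"):
            verdict = "any command, " + (
                "no password" if rule.nopasswd else "password required")
        else:
            verdict = "restricted commands"
        out.append((rule.who, verdict))
    return out

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

Rules reported as "any command, no password" are the ones to review first; syntax-check any change to the real file with visudo -c.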

Example -l

sudo -l shows which commands a user can run with sudo. Example output:

<code class="language-bash">Matching Defaults entries for test on test-computer:  
editor=/usr/bin/micro, insults, pwfeedback  
  
User test may run the following commands on test-computer:  
(ALL) ALL
</code>

The output specifies that the test user may run all commands as all users and groups.

Example help

sudo --help displays the help page for the sudo command. Example output:

<code class="language-bash">sudo - execute a command as another user  
  
usage: sudo -h | -K | -k | -V
usage: sudo -v [-ABkNnS] [-g group] [-h host] [-p prompt] [-u user]
usage: sudo -l [-ABkNnS] [-g group] [-h host] [-p prompt] [-U user]
            [-u user] [command [arg ...]]
usage: sudo [-ABbEHkNnPS] [-C num] [-D directory]
            [-g group] [-h host] [-p prompt] [-R directory] [-T timeout]
            [-u user] [VAR=value] [-i | -s] [command [arg ...]]
usage: sudo -e [-ABkNnS] [-C num] [-D directory]
            [-g group] [-h host] [-p prompt] [-R directory] [-T timeout]
            [-u user] file ...

Options:
  -A, --askpass                 use a helper program for password prompting
  -b, --background              run command in the background
  -B, --bell                    ring bell when prompting
  -C, --close-from=num          close all file descriptors >= num
  -D, --chdir=directory         change the working directory before running
                                command
  -E, --preserve-env            preserve user environment when running command
      --preserve-env=list       preserve specific environment variables
  -e, --edit                    edit files instead of running a command
  -g, --group=group             run command as the specified group name or ID
  -H, --set-home                set HOME variable to target user's home dir
  -h, --help                    display help message and exit
  -h, --host=host               run command on host (if supported by plugin)
  -i, --login                   run login shell as the target user; a command
                                may also be specified
  -K, --remove-timestamp        remove timestamp file completely
  -k, --reset-timestamp         invalidate timestamp file
  -l, --list                    list user's privileges or check a specific
                                command; use twice for longer format
  -n, --non-interactive         non-interactive mode, no prompts are used
  -P, --preserve-groups         preserve group vector instead of setting to
                                target's
  -p, --prompt=prompt           use the specified password prompt
  -R, --chroot=directory        change the root directory before running command
  -S, --stdin                   read password from standard input
  -s, --shell                   run shell as the target user; a command may
                                also be specified
  -T, --command-timeout=timeout terminate command after the specified time limit
  -U, --other-user=user         in list mode, display privileges for user
  -u, --user=user               run command (or edit file) as specified user
                                name or ID
  -V, --version                 display version information and exit
  -v, --validate                update user's timestamp without running a
                                command
  --                            stop processing command line arguments
</code>

Example package manager

sudo dnf install python runs the dnf package manager as root to install python.

Example systemctl (services)

sudo systemctl status ntpdate.service checks the status of the ntpdate service. Example output:

<code class="language-bash">[sudo] password for test:  
○ ntpdate.service - One-Shot Network Time Service  
     Loaded: loaded (/usr/lib/systemd/system/ntpdate.service; disabled; preset: disabled)
     Active: inactive (dead)
</code>

Example login with sudo

sudo -i -u test starts a login shell as another user, here the test user.